automating network security profiles
play

Automating Network Security Profiles Vivek Kashyap Senior - PowerPoint PPT Presentation

Mar 21, 2024 •26 likes •226 views

Automating Network Security Profiles Vivek Kashyap Senior Technical Staff Member Linux Technology Center IBM Cloud Interface Image Cloud Controller repository Domain-N Control Domain-1 Control Image Image Image Host 1 Application

  1. Automating Network Security Profiles Vivek Kashyap Senior Technical Staff Member Linux Technology Center IBM

  2. Cloud Interface Image Cloud Controller repository Domain-N Control Domain-1 Control Image Image Image Host 1 Application Host 1 Application Application Operating Operating Operating System System System Host 2 Host 2 Virtual Server Virtual Server Virtual Server Virtualization Host 3 Host 3 Compute Domain n Domain 1 Storage Memory Network Multiple images deployed on physical nodes in the DataCenter/Cloud ● Network isolation a must for a viable multi-tenant solution ● Collaborative applications may be on same virtual network ● vivk@us.ibm.com Linux Collaboration Summit, 2011 2

  3. Network View Port Profile VM VM VM VM VM VM VM VM Virtual Switch Server VM VM VM VM Switch Virtual Switch Switch Switch Domain Edge Port External Network Definition External Network DataCenter consists of large number of physical and virtual switches ● Applications with different network profiles ─ Host vswitch provides guest-guest switching, filtering, bandwidth control ● Error-prone managing large deployments ─ Virtual switch is not integrated with network fabric management ─ inconsistencies and manual verification > For load-balancing, resiliency the KVM guests are mobile ● Network policies must continue to be applied to the KVM guest workload ─ Manually ensure target are correctly configured to support network profiles > Physical port security/profiles need to be re-programmed with mobility > vivk@us.ibm.com Linux Collaboration Summit, 2011

  4. Linux Virtual Networking Linux/KVM VM VM VM VM VM VM VM VM VM … … … VEB * * VEB F : PF VF VF VF PCIe VEB Adapter PCIe * Enet Port IOV Enet Port * Packet switching and filtering function Adjacent Switch * vivk@us.ibm.com Linux Collaboration Summit, 2011 4

  5. Automating Physical/Virtual Switching Edge Virtual Bridging: IEEE 802.1Qbg Linux/KVM Offload switching function to external ● bridge VM VM VM VM VM VM VM VM VM … … … VM's virtual interface directly tied to ─ physical switch port policies VEPA * VEB Simplified VEPA (Virtual Ethernet ─ Port Aggregator) bridging in F F hypervisor to send all packets to PCIe PCIe adjacent bridge. Adapter Adapter Enet Port Enet Port Provides packet replication of > Port in inbound frames. Reflective Physical switch port put in 'reflective ─ Relay relay' mode Mode * Sends packets back over same port > Adjacent Switch Con : Introduces limited latency ● VEPA: Virtual Ethernet Port Aggregator VEB: Virtual Ethernet Bridge (or, Linux bridge) vivk@us.ibm.com Linux Collaboration Summit, 2011 5

  6. How Does it Work?  The network profile – Used by one or more VMs – Unique id – Stored in database Port Profile  Switch advertises 802.1Qbg support VM Database VM VMVMVM VM VMVM  Linux/KVM host receives vSwitch VEPA advertisement (a.k.a. VEB) – Configures switch port in VEPA VM VMVMVM (hairpin_mode) Switch VEB – Offloads switching function Switch Switch  Linux/KVM sends to switch – unique id of network profile Domain Edge External Network External Network – MAC/VLAN information Port Definition  Switch retrieves profile – Enforces bandwidth, Access controls vivk@us.ibm.com Linux Collaboration Summit, 2011 6

  7. Creating a KVM Guest On success from step Server 5, libvirt instantiates System and starts the VM Admin Request creation Linux 7 of VM. Send VSI host state*, MAC Libvirt address, VLAN id. LLDPAD Apps Apps CIM EDP/VDP 4 User Space VM VM 3 Libvirt Daemon Create new VM’s network System state (i.e. MAC Manager KVM with VEPA Address, VLAN ID, VSI state*) 5 VSI Discovery VM begins 8 and communication, Configuration through KVM VEPA Protocol (VDP) Query available VSI 2 associate types Load VSI Obtain a VSI instance Type 6 Switch (a.k.a. Bridge) Network Admin Network (VSI Type) Manager Create set 0 L2 net(s) VSI Type of VSI Database Types *VSI state consists of the following: VSI Manager ID, VSI Instance ID, VSI Type ID, VSI Type Version. vivk@us.ibm.com Linux Collaboration Summit, 2011 7

  8. Simple extension to libvirt The VSI state is specified using the following domain XML extension ● <interface type='direct'/> <source dev='device name' mode='vepa' /> <model type='virtio'/> <virtualport type='802.1Qbg'> <parameters managerid='12' typeid='0x123456' typeidversion='1' instanceid='insert-uuid-here' /> </virtualport> </interface> Libvirt parses 'virtualport type' ● Sends netlink message with 'ASSOCIATE' request to LLDPAD ─ LLDPAD sends ASSOCIATE VDP message ─ Returns success or failure ─ On success KVM guest is created ─ vivk@us.ibm.com Linux Collaboration Summit, 2011 8

  9. Migration Steps VM is brought 7 on-line after VDP completes Pre-Associate Source Server Target Server System Admin to server’s migrate VM virtualization Apps Apps Apps Apps infrastructure Push VM Move VM VM VM VM VM Manager 1 4 VEB or VEPA VEB or VEPA Associate & Start-up VM 5 VDP Pre-Associate Move to VDP 2 VDP 6 with Resource Pre-Associate Associate Reservation state 8 VSI After target Switch 3 Manager VM up, De- Switch (a.k.a. Bridge) Associate and Retrieve (a.k.a. Bridge) terminate VM VSI VSI Type Information Database L2 net(s) vivk@us.ibm.com Linux Collaboration Summit, 2011 9

  10. Automatic Host based Virtual Switching Host vswitch ● Linux bridge + ebtables/iptables + tc ─ OpenVswitch (not in mainline) ─ Administrative simplification: Associate filter rules to Virtual machines ● Rules enforced in the kernel when guest started ─ Rules torn down when the guest is terminated ─ Rules may be modified at runtime ─ Rules may contain macros which get instantiated at runtime ─ IP Address, MAC address , more possible > » DHCP Snooping/first packet to determine IP Address vivk@us.ibm.com Linux Collaboration Summit, 2011 10

  11. Example Filter <filter name='no-ip-spoofing' chain='ipv4'> <uuid>fce8ae33-e69e-83bf-262e-30786c1f8072</uuid> <rule action='drop' direction='out' priority='500'> <ip match='no' srcipaddr='$IP'/> </rule> </filter> This filter may now be referenced with any guest by adding to the 'interface' element in the guest domain: <interface type='bridge'> <mac address='52:54:00:56:44:32'/> <source bridge='br1'/> <ip address=$IP/> <target dev='vnet0'/> <model type='virtio'/> <filterref filter='no-ip-spoofing'/> </interface> vivk@us.ibm.com Linux Collaboration Summit, 2011 11

  12. Status Linux 2.6.34 onwards ● VEPA mode (for IEEE 802.1Qbg support) ─ Bridging between virtual interfaces ─ Vhost-net interface for Qemu ─ GSO/GRO acceleration for macvtap ─ Libvirt 0.8.7 (http://libvirt.org/formatnwfilter.html) ● VEPA and VSI support ─ Netlink notifications for VDP protocol (to LLDPAD) > Support for host based filter rules ─ LLDPAD: ● Version lldpad 0.9.41 (open-lldp.org) ─ EVB TLVs, ECP/VDP > Libvirt-CIM: 0.5.12 ● Support for specifying VEPA, VSI state ─ vivk@us.ibm.com Linux Collaboration Summit, 2011 12

  13. A peek into the Future: Network Profile Automation Network extensions - Include filters in the Virtual Machine meta-data (e.g. in the OVF) Image - Filters takes macros, that are instantiated at deployment (as shown with libvirt) library - Management tooling uses it to create libvirt rules or vis data profiles OVF Query available port profile types B Port Profile DB VM C Port Profile Schema 1 Database Manager DB Client Interface Push VM & vPort DB-to-switch Linux/KVM: 2 Interface Switch Edge Retrieve Port VM Edge D Configuration to Configuration 4 • CIM provider (libvirt-CIM) VM Host or direct libvirt interface • Based on host capabilities VM and domain policy: A VM • Create ACL rules utilizing L2 net(s) vSwitch 3 the linux virtualization library(libvirt) VM vPort Discovery or VM • Create/use existing VSI profile to impose on the guest IEEE 802.1Qbg protocol support Server Edge vivk@us.ibm.com Linux Collaboration Summit, 2011

  14. Legal Statement This work represents the view of the author and does not necessarily represent the view of IBM. IBM is a registered trademark of International Business Machines Corporation in the United States and/or other countries. UNIX is a registered trademark of The Open Group in the United States and other countries . Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, and service names may be trademarks or service marks of others. vivk@us.ibm.com Linux Collaboration Summit, 2011 14

  15. Questions? vivk@us.ibm.com Linux Collaboration Summit, 2011 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS DAMIANO BOLZONI, SANDRO ETALLE AND PIETER HARTEL DISTRIBUTED AND EMBEDDED SECURITY GROUP TWENTE SECURITY LAB 10+ YEARS OF RESEARCH OVER ANOMALY

160 views • 14 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference

SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference

SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference Presentation Overview 1. The Business Challenge 2. Securing Voice over IP Networks 3. The ISA VoIP Security Project 4. Next Steps With SCAP 5. Summary

388 views • 23 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
How to Solve CCPA and GDPR's Toughest Compliance Mandates Automating Data Privacy and Security

How to Solve CCPA and GDPR's Toughest Compliance Mandates Automating Data Privacy and Security

WEBINAR How to Solve CCPA and GDPR's Toughest Compliance Mandates Automating Data Privacy and Security for API-based Services Welcome and Introductions Elias Terman Chandan Golla Shan Zhou VP of Global Marketing Head of Product Management

506 views • 34 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 3 Network Protocol Attacks Roadmap Network security The basic objectives: CIA

1.68k views • 39 slides
Hands-On Network Security: Practical Tools &amp; Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools &amp; Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools &amp; Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 3 Network Protocol Attacks Roadmap Network security The

502 views • 39 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J Lecture #2 Aug 25 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Economist Survey Please read it Main points Security is a MUCH

600 views • 27 slides
TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of

TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of

TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of TCP/IP IP, Ethernet, ARP Sniffing the network and forging packets tcpdump, wireshark Today: ICMP and UDP Eike Ritter Network Security -

881 views • 38 slides
13 - Computer Security Network Security 1 Context

13 - Computer Security Network Security 1 Context

13 - Computer Security Network Security 1 Context Computers connected in a network - but also: smartphones, fridges, IoT devices, Each device has an IP address Packets are routed via

771 views • 51 slides
Network from a High End Car Today: Wired embedded networks Characteristics and requirements

Network from a High End Car Today: Wired embedded networks Characteristics and requirements

Network from a High End Car Today: Wired embedded networks Characteristics and requirements Some embedded LANs SPI I2C LIN Ethernet Next lecture: CAN bus Then: 802.15.4 wireless embedded network Embedded

287 views • 5 slides
Intel e1000 Ethernet Controller Driver Intel e1000 controller Conclusion Ivan D elalande

Intel e1000 Ethernet Controller Driver Intel e1000 controller Conclusion Ivan D elalande

Intel e1000 Ethernet Controller Driver Ivan D elalande Introduction PCI Intel e1000 Ethernet Controller Driver Intel e1000 controller Conclusion Ivan D elalande colona@lse.epita.fr http://lse.epita.fr February 12, 2013 . . . . . .

709 views • 17 slides
Gigabit Ethernet Adapter (GigE) Version 1 Architecture William D. Richard, Ph.D. Washington

Gigabit Ethernet Adapter (GigE) Version 1 Architecture William D. Richard, Ph.D. Washington

Gigabit Ethernet Adapter (GigE) Version 1 Architecture William D. Richard, Ph.D. Washington wdr@ee.wustl.edu WASHINGTON UNIVERSITY IN ST LOUIS GigE Design Team William D. Richard Hardware Design Fred Kuhns Protocol Design

818 views • 20 slides
Link Layer: CSMA/CD, MAC addresses, ARP Smith College, CSC 249 March 27, 2018 1 Thursday Recap

Link Layer: CSMA/CD, MAC addresses, ARP Smith College, CSC 249 March 27, 2018 1 Thursday Recap

Link Layer: CSMA/CD, MAC addresses, ARP Smith College, CSC 249 March 27, 2018 1 Thursday Recap q Link layer services q Principles for multiple access protocols q Categories of multiple access protocols 2 1 Recap: Random Access Protocols q

371 views • 13 slides
Control room / DAQ WA105 computers Thierry VIANT / Yann Axel Rigault ETH Zrich 1 EP Control

Control room / DAQ WA105 computers Thierry VIANT / Yann Axel Rigault ETH Zrich 1 EP Control

EP Control room / DAQ WA105 computers Thierry VIANT / Yann Axel Rigault ETH Zrich 1 EP Control room : building 182 2-010 Control-room ~ 20 m Control-room close to the detector , on the same Clean room floor Detector 2 EP Control

490 views • 12 slides
Future Internet is by Ethernet Raimo Kantola Aalto University Finland www.re2ee.org Aalto

Future Internet is by Ethernet Raimo Kantola Aalto University Finland www.re2ee.org Aalto

Future Internet is by Ethernet Raimo Kantola Aalto University Finland www.re2ee.org Aalto University/Raimo Kantola 20.09.2010 Brisbane, Australia NoF IFIP 1 Agenda Big picture 3 tier model of R&amp;D&amp;D Principles

416 views • 18 slides
Outline Introduction Background Evaluation results Conclusions Future

Outline Introduction Background Evaluation results Conclusions Future

PDSW-DISCS16 Monday, November 14 th Salt Lake City, USA Towards Energy Efficient Data Management in HPC: The Open Ethernet Drive Approach Anthony Kougkas , Anthony Fleck, Xian-He Sun Outline Introduction Background Evaluation

813 views • 25 slides
1 Unreliable, connectionless service Ethernet uses CSMA/CD Connectionless: No handshaking

1 Unreliable, connectionless service Ethernet uses CSMA/CD Connectionless: No handshaking

The Data Link Layer Addressing Last time Our goals: different address scheme in different link layer services understand principles layers error detection, correction behind data link layer services: multiple access

584 views • 9 slides

More recommend